반응형

문제를 요청한 Kenji Aiko님께 감사 드리며, 출제한 문제에 대한 풀이집을 올립니다.

(Forensic 100)


/////////////////////////////////////////////////////////////////////////////////////////////////////////

 

 

Forensic 100 - writeup

Date. 2016. 11. 07.

Written by crattack

 

 

 

Question.

 

컴퓨터를 사용하다가 컴퓨터가 느려지는 현상이 발견되어, 원인을 파악해 보니 특정 파일에서 지속적으로 인터넷을 연결하는 현상이 감지 되었다. 해당 사이트에 접근해보니 특정 문구가 존재하였다.

해당 사이트에 접근하여 특정 문구인 flag를 획득하시오.

 

コンピュ使用しながらパソコンがくなる現象発見され、原因把握してみると、特定ファイルで続的にインタネットを連結する現象感知された。 当該サイトへアクセスしてみると、特定のフレズが存在した。

当該サイトへアクセスして特定のフレズであるflag獲得しなさい。



Write up.

 

1. 이미지의 정보를 확인 / イメジの情報確認

( http://downloads.volatilityfoundation.org/releases/2.4/volatility_2.4.win.standalone.zip)

C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" imageinfo

 

Volatility Foundation Volatility Framework 2.4

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Determining profile based on KDBG search...

 

          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)

                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)

                     AS Layer2 : FileAddressSpace (C:\Forensic_100\forensic_100.raw)

                      PAE type : PAE

                           DTB : 0x34c000L

                          KDBG : 0x80545ce0L

          Number of Processors : 1

     Image Type (Service Pack) : 3

                KPCR for CPU 0 : 0xffdff000L

             KUSER_SHARED_DATA : 0xffdf0000L

           Image date and time : 2016-10-31 05:45:14 UTC+0000

     Image local date and time : 2016-10-31 14:45:14 +0900

 

2. DLL 리스트를 활용하여, 이상 프로세스 확인 / DLLリストを活用して、異常プロセス確認

 

C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" dlllist > C:\Forensic_100\dlllist.txt

 

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

************************************************************************

System pid:      4

Unable to read PEB for task.

************************************************************************

smss.exe pid:    540

Unable to read PEB for task.

************************************************************************

csrss.exe pid:    604

Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

Service Pack 3

 

Base             Size  LoadCount Path

---------- ---------- ---------- ----

0x4a680000     0x5000     0xffff \??\C:\WINDOWS\system32\csrss.exe

0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll

0x75b40000     0xb000     0xffff C:\WINDOWS\system32\CSRSRV.dll

0x75b50000    0x10000        0x3 C:\WINDOWS\system32\basesrv.dll

0x75b60000    0x4b000        0x2 C:\WINDOWS\system32\winsrv.dll

0x77f10000    0x49000        0xa C:\WINDOWS\system32\GDI32.dll

0x7c800000    0xf6000       0x1f C:\WINDOWS\system32\KERNEL32.dll

0x7e410000    0x91000        0xa C:\WINDOWS\system32\USER32.dll

0x629c0000     0x9000        0x1 C:\WINDOWS\system32\LPK.DLL

0x74d90000    0x6b000        0x1 C:\WINDOWS\system32\USP10.dll

0x77dd0000    0x9b000        0xd C:\WINDOWS\system32\ADVAPI32.dll

0x77e70000    0x93000        0x7 C:\WINDOWS\system32\RPCRT4.dll

0x77fe0000    0x11000        0x5 C:\WINDOWS\system32\Secur32.dll

0x7e720000    0xb0000        0x1 C:\WINDOWS\system32\sxs.dll

************************************************************************

………………………………………………

 

DumpIt.exe pid:   3784

Command line : "C:\Documents and Settings\Administrator\My Documents\Downloads\DumpIt.exe"

Service Pack 3

 

Base             Size  LoadCount Path

---------- ---------- ---------- ----

0x00400000    0x35000     0xffff C:\Documents and Settings\Administrator\My Documents\Downloads\DumpIt.exe

0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll

0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll

0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll

0x77e70000    0x93000     0xffff C:\WINDOWS\system32\RPCRT4.dll

0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll

0x77f60000    0x76000     0xffff C:\WINDOWS\system32\SHLWAPI.dll

0x77f10000    0x49000     0xffff C:\WINDOWS\system32\GDI32.dll

0x7e410000    0x91000     0xffff C:\WINDOWS\system32\USER32.dll

0x77c10000    0x58000     0xffff C:\WINDOWS\system32\msvcrt.dll

0x76390000    0x1d000        0x1 C:\WINDOWS\system32\IMM32.DLL

0x629c0000     0x9000        0x1 C:\WINDOWS\system32\LPK.DLL

0x74d90000    0x6b000        0x1 C:\WINDOWS\system32\USP10.dll

************************************************************************

svchost.exe pid:    1776

Command line : "C:\WINDOWS\svchost.exe"

Service Pack 3

 

Base             Size  LoadCount Path

---------- ---------- ---------- ----

0x00400000     0x9000     0xffff C:\WINDOWS\svchost.exe

0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll

0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll

0x10000000     0xa000     0xffff C:\WINDOWS\JDMBackgroundProcess.dll

0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll

0x77e70000    0x93000     0xffff C:\WINDOWS\system32\RPCRT4.dll

0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll

0x00350000    0x6d000     0xffff C:\WINDOWS\system32\MSVCP140.dll

0x003c0000    0x15000     0xffff C:\WINDOWS\system32\VCRUNTIME140.dll

0x003e0000     0x4000     0xffff C:\WINDOWS\system32\api-ms-win-crt-runtime-l1-1-0.dll

0x00410000    0xd8000     0xffff C:\WINDOWS\system32\ucrtbase.dll

0x003f0000     0x3000     0xffff C:\WINDOWS\system32\api-ms-win-core-string-l1-1-0.dll

0x004f0000     0x3000     0xffff C:\WINDOWS\system32\api-ms-win-core-errorhandling-l1-1-0.dll

…………………………..

************************************************************************

………………………….

IEXPLORE.EXE pid:   2304

Command line : "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2496 CREDAT:79880

Service Pack 3

……………………………………………………

 

 

3. 의심 프로세스 덤프 후 분석 / いプロセスダンプ分析

 

C:\Volatility>vol.py -f "c:\forensic_100\forensic_100.raw" procdump --pid=1776 -D c:\forensic_100\

 

Volatility Foundation Volatility Framework 2.4

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Process(V) ImageBase  Name                 Result

---------- ---------- -------------------- ------

0x81f65da0 0x00400000 svchost.exe          OK: executable.1776.exe

 

 



000000001B68   000000403368      0   C:\Program Files\Internet Explorer\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd


 

4. 접속 정보 확인 / 続情報確認

 

도메인 확인 / ドメイン確認

 




C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" connections > C:\Forensic_100\connections.txt


 

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Offset(V)  Local Address             Remote Address            Pid

---------- ------------------------- ------------------------- ---

0x8213bbe8 192.168.88.131:1034       153.127.200.178:80           1080

 

Connection 정보와 일치하지 않으므로 도메인 관련 변조가 있을 것으로 추정 / Connection情報一致しないのでドメイン関連変造があると推定

 

5. Hosts 파일 덤프 하기 위해 주소 확인 / Hostsファイルダンプするため住所確認

 

C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" filescan > c:\forensic_100\filescan.txt


 

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Offset(V)  Local Address             Remote Address            Pid

---------- ------------------------- ------------------------- ---

0x8213bbe8 192.168.88.131:1034       153.127.200.178:80           1080

 

Connection 정보와 일치하지 않으므로 도메인 관련 변조가 있을 것으로 추정 / Connection情報一致しないのでドメイン関連変造があると推定


 

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Offset(P)            #Ptr   #Hnd Access Name

------------------ ------ ------ ------ ----

0x0000000001734038      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x000000000174a270      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x0000000001756cf8      1      0 R--r-d \Device\HarddiskVolume1??????


?

0x00000000017634f0      1      0 -W---- \Device\HarddiskVolume1??????????????

0x0000000001763c60      1      0 R--r-d \Device\HarddiskVolume1?

0x0000000001794b18      3      0 RWD--- \Device\HarddiskVolume1\$Directory

.........................................

0x00000000020f0268      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\svchost.exe

0x00000000020f0a90      2      1 ------ \Device\NamedPipe\PCHHangRepExecPipe

0x00000000020f3888      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt

0x00000000020f4f90      1      1 ------ \Device\NamedPipe\net\NtControlPipe8

0x00000000020f5028      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\041e

0x00000000020f50d0      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0425

0x00000000020f5e38      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x00000000020f5f90      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x00000000020f6108      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\040C

0x00000000020f8658      3      0 RWD--- \Device\HarddiskVolume1\$ConvertToNonresident

.............................

0x000000000217b748      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts

………………………

 

Hosts 파일의 메모리 주소를 활용하여 Dump / Hostsファイルのメモリアドレスを活用してDump

 

C:\Volatility>vol.py -f "c:\forensic_100\forensic_100.raw" dumpfiles -Q 0x217b748 --dump-dir=c:\forensic_100\

 

# Copyright (c) 1993-1999 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

#      102.54.94.97     rhino.acme.com          # source server

#       38.25.63.10     x.acme.com              # x client host

 

127.0.0.1       localhost

153.127.200.178    crattack.tistory.com

 

http://153.127.200.178/entry/Data-Science-import-pandas-as-pd



------------------------------------------------------

이상으로 write up을 마칩니다.

오랜만에 문제를 만드니까 즐거웠습니다. ( _ _ )

반응형

+ Recent posts